By Jake Valletta

June 8th, 2011

About Me

Education A. S. Hudson Valley Comm. College, 2009

B. S. Rochester Institute of Technology, 2011

○ Information Security & Forensics

Experiences Numerous Internships

MANDIANT Corp., June 2011

○ Pen testing / Incident Response

Interests Network Security & Forensics

Binary / Malware Analysis

Programming: C / Python

Agenda

Data Exfiltration

Covert Channel Basics

Examples

Demonstrations

Detection Methods

Conclusion

Data Exfiltration

The leaking of sensitive information

Company secrets

Source code

Client information

A primary goal of an attacker

Can have a big impact on company

Impact

Loss of company & client information

Company’s reputation at stake

○ Sony anyone…?

Per state law, incidents must be reported in

several states

○ NYS Information Security Breach and Notification Act 2005

Attack Life Cycle

Source: Ed Skoudis, Tom Liston - Counter Hack Reloaded, 2006 (Pearson)

Reconnaissance ○ Whois, Company Website

Scanning ○ Port scanning, service enumeration

Gaining Access ○ Exploiting software, buffer overflows

Maintaining Access ○ Root-kits, backdoors

Covering Tracks & Hiding ○ Cleanse logs, exfiltrate data

Exfiltration Methods

Source: A. Giani et al. - Data Exfiltration and Covert Channels

Physical

USB Thief

Laptop Thief

Cognitive

Social Engineering

Shoulder Surfing

Network Based

FTP / SSH / HTTP

Network–based Covert Channels

…But I have a firewall(s), right?

Source: http://www.cisco.com

Firewalls: Not the Cure-all!

Not as much focus on outbound traffic

Majority are signature-based

Need to be configured properly to be

effective

Covert Channels

“Covert channels use means of communication not

normally intended to be used for communication, making

them quite elusive.”

Source: caia.swin.edu.au/cv/szander/publications/szander-ieee-comst07.pdf

“Encryption only protects communication from being decoded by unauthorized parties, whereas covert

channels aim to hide the very existence of the communication.”

Prisoner Problem

Prisoner Problem

Prisoner Problem

Allows a secret communication channel across an

unsecure channel

Nothing unordinary is observed, so it is stealthy

Role of Wendy the Warden can impact the

channel’s effectiveness

Active, Passive, Malicious

Covert Channel Types

Storage Based

○ The information we want to send is ‘stored’

somewhere in the overt communication channel

Timing Based

○ The timing of an overt communication channel is

the covert channel

Storage Channels

Hide data in protocol headers

Requires modification of overt channel, OR a

‘fake’ overt channel

Some can be detected and mitigated with

proper firewall rules

Timing Channels

Very difficult to create

Latency issues

Very difficult to find

Doesn’t require modification to an existing

communication stream

Things to Consider

Things to Consider

Do we need bidirectional or unidirectional

covert channel?

What kind of warden is present?

Python

Modern interpreted programming language

Powerful, fast & easy to follow syntax

Extensive built-in libraries

Plays well with C / Java / .NET code

Open-source

Language of choice for ‘hackers’ and reverse-

engineers

Excellent for prototyping and POC code

Python Website: http://www.python.org/

Scapy

Powerful interactive packet manipulation

program

Forge and decode custom packets

Sniff network traffic or read captured packets

Combines functionality of many tools

○ nmap, hping3, p0f, tcpdump

Can import into Python 2.5+

Scapy Website: http://www.secdev.org/projects/scapy/

Coding a TCP Packet in C

Coding a TCP Packet in C

…And with Scapy

ICMP – The Protocol

Internet Control Message Protocol

Used in error reporting & network diagnostics

‘ping’ (Echo Request / Reply)

Windows ‘tracert’ (TTL Exceeded)

Need to Fragment, Destination Unreachable, Port

Administratively Filtered, Redirect, etc.

Should be disabled (?)

The ICMP Header

Source: http://www.insecure.in/packet_header_analysis.asp

ICMP Echo Request

*ICMP Echo created by Windows NT TCP/IP Stack

Analysis

Type – 0x08 (Echo Request)

Distinguishes this as a ‘ping’

Code – 0x00

Checksum

Checked for packet integrity by routers

ID – 0x0001

Sequence – 0x0001

Data – 32 bytes

Of what…?

Exploring

According to RFC 792, the only value for the

code field in an ICMP Echo message is 0.

Code is used in other ICMP messages (think ‘subtype’)

Changing the code does not invalidate the message

ID differentiates sessions, much like a TCP /

UDP port

Changing the ID does not invalidate the message

Sequence is a counter for a session

Changing the Sequence does not invalidate the message

Options

A storage based covert channel can be created

using these fields

Each field can hold data to be sent

Data can be tunneled over the payload field

Encryption to obscure context

Shouldn’t be detected / blocked by IDS or Firewall

Restrictions

Some networks filter / drop ICMP traffic

Superfluous traffic

Additional attack vector

Could be detected by IDS

Why so many pings?

Concept has been around for awhile

lokid (Phrack Magazine, 1997)

DNS – The Protocol

Used primarily for name resolution

What is the IP address for www.google.com?

Hierarchical design

Must be allowed in and out of firewall

A DNS Request

Exploring

The query of the request could be modified

DNS lookups for A, CNAME and TXT records

The ‘Name’ field can contain our data

Multiple ‘questions’ can be specified

But packet size must be less than MTU, as DNS sets

‘Don’t Fragment’ flag in IP header (per RFC)

Valid DNS requests use character: [a-zA-Z0-9\-]

Example Flow

Options

Looks like a legitimate DNS request

How can an IDS tell it’s forged?

Encryption can obscure the message

Provides a good unidirectional covert channel

Can be made bidirectional with CNAME / TXT requests

(OZYmanDNS, NSTX)

Advantages

Shouldn’t be blocked by any firewall

DNS is required to be allowed out of the firewall

Very hard to detect or filter

You’d be surprised what domains exist

Even if it is detected, encryption can protect

payload

IPv6 / ICMPv6 – The Protocols

Next Generation

Development started in early 1990s

Secure (?)

Slowly but surely replacing IPv4

ICMPv6 is integrated into IPv6

Neighbor Discovery Protocol (NDP)

ICMPv6 Echo Request

Exploring

Traffic Class is the replacement for ‘Type of

Service’ in IPv4

Used in real-time data (VoIP)

Flow Label is used to quickly process real-time

data

Saves time by not examining entire header, because it

already knows about this ‘flow’

Code, Sequence, and ID are still the same

Ping6ed machine won’t respond if code isn’t 0

Options

Traffic Class & Flow Label can be modified

Shouldn’t affect packets travel (?)

Modulate ICMPv6 fields

Just like ICMPv4

Tunnel Data in payload section

v00d00N3t (R. P. Murphy, DEFCON14)

Advantages

Still not fully understood / deployed

Firewalls / IDS might not be fully aware

RFC’s might not be strictly followed

ICMPv6 cannot be turned off anymore

“ICMPv6 is an integral part of IPv6 and MUST be fully

implemented by every IPv6 node.” (RFC 2463)

Topology

(Good luck!)

The Problem

The very nature of a covert channel makes it hard

to find

How do you know to look for something that you don’t

know you needed to look for?

Once you do detect it, how do you stop it?

The data is already leaked!

Solutions

Signature-based Approach

How most antivirus, DLP, IDS & IPS solutions work

Will not detect new covert channels

Resource intensive

Behavioral-based Approach

Not as common

Resource intensive (full packet inspection)

Capability to detect known and unknown storage channels

Contact Information

Email

javallet@gmail.com

jrv1197@rit.edu

LinkedIn

http://www.linkedin.com/pub/jacob-valletta/20/aa1/57

Questions, ideas, source-code, projects, etc.